[CVE-2020-8162] Circumvention of file size limits in ActiveStorage

1,978 views
Skip to first unread message

Aaron Patterson

unread,
May 18, 2020, 11:55:22 AM5/18/20
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com
Circumvention of file size limits in ActiveStorage

There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a
direct file upload to be modified by an end user. This vulnerability has been assigned the CVE identifier CVE-2020-8162.

Versions Affected: rails < 5.2.4.2, rails < 6.0.3.1
Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a
new signature from the server. This could be used to bypass controls in place on the server to limit upload size.

Releases
--------

Rails 5.2.4.3 and 6.0.3.1 are available on RubyGems.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessarily
until such time as the application can be upgraded.

Patches
-------

For developers who are not able to immediately patch their applications,
we are including the following patches for Rails 6.0.3 and Rails 5.2.4.2.

* 5-2-activestorage-s3-adapter.patch
* 6-0-activestorage-s3-adapter.patch


Credits
-------

Thanks to Travis Pew (@travisp) for reporting this issue via our HackerOne bug bounty program and providing a patch.
5-2-activestorage-s3-adapter.patch
6-0-activestorage-s3-adapter.patch
Reply all
Reply to author
Forward
0 new messages